[Fedora-directory-commits] ldapserver/ldap/servers/slapd add.c, 1.17, 1.18 modrdn.c, 1.12, 1.13

Nathan Kinder nkinder at fedoraproject.org
Mon Jan 5 16:57:06 UTC 2009


Author: nkinder

Update of /cvs/dirsec/ldapserver/ldap/servers/slapd
In directory cvs1.fedora.phx.redhat.com:/tmp/cvs-serv20204/ldap/servers/slapd

Modified Files:
	add.c modrdn.c 
Log Message:
Resolves: 474621
Summary: Don't allow auto-generated attributes to be used in RDN.



Index: add.c
===================================================================
RCS file: /cvs/dirsec/ldapserver/ldap/servers/slapd/add.c,v
retrieving revision 1.17
retrieving revision 1.18
diff -u -r1.17 -r1.18
--- add.c	19 Dec 2008 17:07:26 -0000	1.17
+++ add.c	5 Jan 2009 16:57:03 -0000	1.18
@@ -68,6 +68,7 @@
 static int add_internal_pb (Slapi_PBlock *pb);
 static void op_shared_add (Slapi_PBlock *pb);
 static void add_created_attrs(Operation *op, Slapi_Entry *e);
+static int check_rdn_for_created_attrs(Slapi_Entry *e);
 static void handle_fast_add(Slapi_PBlock *pb, Slapi_Entry *entry);
 static void add_uniqueid (Slapi_Entry *e);
 static PRBool check_oc_subentry(Slapi_Entry *e, struct berval	**vals, char *normtype);
@@ -176,17 +177,25 @@
 				goto free_and_return;
 			}
 
-            /* if this is uniqueid attribute, set uniqueid field of the entry */
-            if (strcasecmp (normtype, SLAPI_ATTR_UNIQUEID) == 0)
-            {
-                e->e_uniqueid = slapi_ch_strdup (vals[0]->bv_val);
-            }
-	    if(searchsubentry) searchsubentry=check_oc_subentry(e,vals,normtype);
+			/* if this is uniqueid attribute, set uniqueid field of the entry */
+			if (strcasecmp (normtype, SLAPI_ATTR_UNIQUEID) == 0)
+			{
+				e->e_uniqueid = slapi_ch_strdup (vals[0]->bv_val);
+			}
+			if(searchsubentry) searchsubentry=check_oc_subentry(e,vals,normtype);
 		}
+
 		slapi_ch_free( (void**)&normtype );
 		ber_bvecfree( vals );
 	}
 
+	/* Ensure that created attributes are not used in the RDN. */
+	if (check_rdn_for_created_attrs(e)) {
+		op_shared_log_error_access (pb, "ADD", slapi_sdn_get_dn(slapi_entry_get_sdn_const(e)), "invalid DN");
+		send_ldap_result( pb, LDAP_INVALID_DN_SYNTAX, NULL, "illegal attribute in RDN", 0, NULL );
+		goto free_and_return;
+	}
+
 	if ( tag == LBER_DEFAULT ) {
 		op_shared_log_error_access (pb, "ADD", slapi_sdn_get_dn (slapi_entry_get_sdn_const(e)), "decoding error");
 		send_ldap_result( pb, LDAP_PROTOCOL_ERROR, NULL,
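Review bot: The new call `if (check_rdn_for_created_attrs(e))` treats the helper's -1 error return the same as a positive match, so an internal failure is answered with LDAP_INVALID_DN_SYNTAX and logged as "invalid DN". Rejecting the request on error is the right fail-closed behaviour, but the client and the access log are given a misleading reason. Consider keeping the result in a local and handling `rc < 0` on its own, for example with `LDAP_OPERATIONS_ERROR`, before the `rc == 1` case. The call added to modrdn.c later in this commit has the same shape. The enclosing function starts and ends outside this hunk.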
@@ -723,6 +732,40 @@
 }
 
 
+/* Checks if created attributes are used in the RDN.
+ * Returns 1 if created attrs are in the RDN, and
+ * 0 if created attrs are not in the RDN. Returns
+ * -1 if an error occurred.
+ */
+static int check_rdn_for_created_attrs(Slapi_Entry *e)
+{
+    int i, rc = 0;
+    Slapi_RDN *rdn = NULL;
+    char *value = NULL;
+    char *type[] = {SLAPI_ATTR_UNIQUEID, "modifytimestamp", "createtimestamp",
+                   "creatorsname", "modifiersname", 0};
+
+    if (rdn = slapi_rdn_new()) {
+        slapi_rdn_init_dn(rdn, slapi_entry_get_dn_const(e));
+
+        for (i = 0; type[i] != NULL; i++) {
+            if (slapi_rdn_contains_attr(rdn, type[i], &value)) {
+                LDAPDebug(LDAP_DEBUG_TRACE, "Invalid DN. RDN contains %s attribute\n", type[i], 0, 0);
+                rc = 1;
+                break;
+            }
+        }
+
+        slapi_rdn_free(&rdn);
+    } else {
+        LDAPDebug(LDAP_DEBUG_TRACE, "check_rdn_for_created_attrs: Error allocating RDN\n", 0, 0, 0);
+        rc = -1;
+    }
+
+    return rc;
+}
+
+
 static void handle_fast_add(Slapi_PBlock *pb, Slapi_Entry *entry)
 {
     Slapi_Backend *be;
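Review bot: The list of server-generated attribute names in `check_rdn_for_created_attrs` is duplicated in modrdn.c, and the two copies already differ: this one includes `SLAPI_ATTR_UNIQUEID`, while the modrdn.c copy does not. If that difference is intentional, a comment above `type[]` should say why; otherwise a later addition to one list can silently leave the other operation unprotected, and a single shared table or helper would avoid that. Separately, `if (rdn = slapi_rdn_new())` reads like a mistyped comparison and is clearer as `if ((rdn = slapi_rdn_new()) != NULL)`. The table could also be `static const char *type[]`, and `value` is written by `slapi_rdn_contains_attr` but never read.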


Index: modrdn.c
===================================================================
RCS file: /cvs/dirsec/ldapserver/ldap/servers/slapd/modrdn.c,v
retrieving revision 1.12
retrieving revision 1.13
diff -u -r1.12 -r1.13
--- modrdn.c	5 Dec 2008 22:41:52 -0000	1.12
+++ modrdn.c	5 Jan 2009 16:57:03 -0000	1.13
@@ -64,6 +64,7 @@
 /* Forward declarations */
 static int rename_internal_pb (Slapi_PBlock *pb);
 static void op_shared_rename (Slapi_PBlock *pb, int passin_args );
+static int check_rdn_for_created_attrs(const char *newrdn);
 
 /* This function is called to process operation that come over external connections */
 void
@@ -151,10 +152,11 @@
 	op_shared_rename(pb, 1 /* pass in ownership of string arguments */ );
 	return;
 
-free_and_return:;
+free_and_return:
 	slapi_ch_free((void **) &dn );
 	slapi_ch_free((void **) &newrdn );
 	slapi_ch_free((void **) &newsuperior );
+	return;
 }
 
 /* This function is used to issue internal modrdn operation
@@ -386,6 +388,12 @@
 		ldap_value_free(rdns);
 	}
 
+	/* check if created attributes are used in the new RDN */
+	if (check_rdn_for_created_attrs((const char *)newrdn)) {
+		send_ldap_result(pb, LDAP_INVALID_DN_SYNTAX, NULL, "invalid attribute in RDN", 0, NULL);
+		goto free_and_return_nolock;
+	}
+
 	/* check that the dn is formatted correctly */
 	if ((rdns = ldap_explode_dn(newsuperior, 0)) == NULL) 
 	{
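Review bot: The rename rejection added here sends the LDAP result but, within the visible lines, records nothing in the access log, whereas the ADD path in this commit calls `op_shared_log_error_access` before `send_ldap_result`. The only trace of the rejected attribute is the `LDAP_DEBUG_TRACE` message inside the helper, which is normally not enabled, so an administrator reviewing logs would not see why the rename was refused. Consider adding a matching `op_shared_log_error_access` call before `send_ldap_result`, unless the `free_and_return_nolock` path already logs it, which this hunk does not show. The result text also differs between the two files ("invalid attribute in RDN" here, "illegal attribute in RDN" in add.c), and one wording would make log searches simpler. The enclosing function starts and ends outside this hunk.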
@@ -536,3 +544,35 @@
 		slapi_ch_free((void **)&s);
 	}
 }
+
+
+/* Checks if created attributes are used in the RDN.
+ * Returns 1 if created attrs are in the RDN, and
+ * 0 if created attrs are not in the RDN. Returns
+ * -1 if an error occurs.
+ */
+static int check_rdn_for_created_attrs(const char *newrdn)
+{
+	int i, rc = 0;
+	Slapi_RDN *rdn = NULL;
+	char *value = NULL;
+	char *type[] = {"modifytimestamp", "createtimestamp",
+			"creatorsname", "modifiersname", 0};
+
+	if (newrdn && *newrdn && (rdn = slapi_rdn_new())) {
+		slapi_rdn_init_dn(rdn, newrdn);
+		for (i = 0; type[i] != NULL; i++) {
+			if (slapi_rdn_contains_attr(rdn, type[i], &value)) {
+				LDAPDebug(LDAP_DEBUG_TRACE, "Invalid DN. RDN contains %s attribute\n", type[i], 0, 0);
+				rc = 1;
+				break;
+			}
+		}
+		slapi_rdn_free(&rdn);
+	} else {
+		LDAPDebug(LDAP_DEBUG_TRACE, "check_rdn_for_created_attrs: Error allocating RDN\n", 0, 0, 0);
+		rc = -1;
+	}
+
+	return rc;
+}
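Review bot: The `else` branch of `check_rdn_for_created_attrs` is reached both when `slapi_rdn_new()` fails and when `newrdn` is NULL or empty, but it always logs "Error allocating RDN" and returns -1. Because the caller treats any non-zero result as a forbidden attribute, a missing new RDN would be reported as "invalid attribute in RDN", assuming nothing earlier in the caller rejects it first. Splitting the condition would keep the diagnostics accurate: test `newrdn == NULL || *newrdn == '\0'` first with its own message such as `"check_rdn_for_created_attrs: empty new RDN\n"`, and reserve the allocation message for the `slapi_rdn_new()` failure.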



